Secure Grafana Enterprise Metrics

These sections explain how to secure Grafana Mimir data and communication paths.

Securing GEM shares a lot of similarities with securing Grafana Mimir. For more information, see Secure Grafana Mimir.

Securing communications with TLS

In addition to the steps in Secure Grafana Mimir, you must also configure TLS for the following GEM features.

Self-instrumentation

Each GEM component can optionally remote-write its system metrics to the distributor under a system tenant ID. To secure the connection from each component to the distributor with TLS, set the following YAML parameters or their corresponding CLI flags. To set these YAML parameters in the mimir-distributed Helm chart, nest them under mimir.structuredConfig in your values.yaml file.

```yaml
instrumentation:
  distributor_client:
    tls_enabled: true
    tls_cert_path: /path/to/cert
    tls_key_path: /path/to/key
    tls_ca_path: /path/to/ca

    # The following flags are also available but are not required.
    tls_cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    tls_min_version: VersionTLS13
    tls_server_name: distributor.example.com
    tls_insecure_skip_verify: false
```

Gateway

The gateway proxies incoming requests to the different GEM components. The connections to each component can be secured with TLS. The configuration for each component is identical, and the configuration options for each component are prefixed as follows. To set these YAML parameters in the mimir-distributed Helm chart, nest them under mimir.structuredConfig in your values.yaml file.

```yaml
gateway:
  proxy:
    <component_name>:
      tls_enabled: true
      tls_cert_path: /path/to/cert
      tls_key_path: /path/to/key
      tls_ca_path: /path/to/ca

      # The following flags are available but are not required.
      tls_cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      tls_min_version: VersionTLS13
      tls_server_name: component.example.com
      tls_insecure_skip_verify: false
```

For example, to set the distributor TLS configuration, you would set the following YAML parameters.

```yaml
gateway:
  proxy:
    distributor:
      tls_enabled: true
      tls_cert_path: /path/to/cert
      tls_key_path: /path/to/key
      tls_ca_path: /path/to/ca

      # The following flags are available but are not required.
      tls_cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      tls_min_version: VersionTLS13
      tls_server_name: component.example.com
      tls_insecure_skip_verify: false
```
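
The following check is an added example, not part of the Grafana documentation or of GEM itself. It walks an already parsed configuration for the `instrumentation.distributor_client` and `gateway.proxy.<component_name>` blocks shown above and reports settings that weaken TLS. The function names, the `floor` parameter, the sample values and the `example_component` name are assumptions made for illustration.

```python
# Added example. Parse the real file first (for instance with PyYAML's
# yaml.safe_load); a plain dict is used here so only the standard library is needed.
TLS_VERSIONS = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]


def tls_blocks(config):
    """Yield (path, settings) for each TLS client block this page describes."""
    client = (config.get("instrumentation") or {}).get("distributor_client")
    if client is not None:
        yield "instrumentation.distributor_client", client
    proxy = (config.get("gateway") or {}).get("proxy") or {}
    for name, settings in proxy.items():
        yield f"gateway.proxy.{name}", settings or {}


def audit_tls(config, floor="VersionTLS12"):
    """Return 'path: finding' strings; an empty list means nothing was flagged."""
    findings = []
    for path, s in tls_blocks(config):
        if s.get("tls_enabled") is not True:
            findings.append(f"{path}: tls_enabled is not true")
            continue  # the other tls_* keys only matter once TLS is on
        if s.get("tls_insecure_skip_verify") is True:
            findings.append(f"{path}: tls_insecure_skip_verify is true")
        if not s.get("tls_ca_path"):
            findings.append(f"{path}: tls_ca_path is not set")
        version = s.get("tls_min_version")
        if version is not None and version not in TLS_VERSIONS:
            findings.append(f"{path}: unknown tls_min_version {version}")
        elif version is not None and TLS_VERSIONS.index(version) < TLS_VERSIONS.index(floor):
            findings.append(f"{path}: tls_min_version {version} is below {floor}")
        elif version == "VersionTLS13" and s.get("tls_cipher_suites"):
            # Go's crypto/tls does not make TLS 1.3 cipher suites configurable.
            findings.append(f"{path}: tls_cipher_suites has no effect at VersionTLS13")
    return findings


SAMPLE = {  # constructed sample, not a real deployment
    "instrumentation": {"distributor_client": {
        "tls_enabled": True, "tls_ca_path": "/path/to/ca",
        "tls_min_version": "VersionTLS13"}},
    "gateway": {"proxy": {
        "distributor": {"tls_enabled": True, "tls_ca_path": "/path/to/ca",
                        "tls_min_version": "VersionTLS10",
                        "tls_insecure_skip_verify": True},
        "example_component": {"tls_enabled": False},  # hypothetical component name
    }},
}

if __name__ == "__main__":
    print("\n".join(audit_tls(SAMPLE)) or "no findings")
```

Run it in CI against the rendered `mimir.structuredConfig` so that a component left without TLS, or with verification switched off, fails the pipeline before deployment.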